Use shell=False in subprocess Function Calls

[pixeebot]

This codemod sets the shell keyword argument to False in subprocess module function calls that have set it to True.

Setting shell=True will execute the provided command through the system shell which can lead to shell injection vulnerabilities. In the worst case this can give an attacker the ability to run arbitrary commands on your system. In most cases using shell=False is sufficient and leads to much safer code.

The changes from this codemod look like this:

 import subprocess
- subprocess.run("echo 'hi'", shell=True)
+ subprocess.run("echo 'hi'", shell=False)

More reading

• https://docs.python.org/3/library/subprocess.html#security-considerations
• https://en.wikipedia.org/wiki/Code_injection#Shell_injection
• https://stackoverflow.com/a/3172488
• https://cwe.mitre.org/data/definitions/78

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/subprocess-shell-false

[pixeebot]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

[pixeebot]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.